On Thu, Dec 23, 2021 at 10:14 AM Jeremy Huntwork <jeremy@merelinux.org> wrote:
The reason I don't see it as being a problem for me is that my intent is to release authoritative packages from one source, a CI/CD pipeline that is triggered off of the main repository. Validation and trust of humans that are allowed to push to that repository and trigger official releases can be handled via other mechanisms. Community repositories might have slightly different requirements, but my expectation is that every repository used could have one official public key.
I suppose if I did have a reason for supporting multiple keys, those would all have to be shipped/installed together and then pacman could loop through them until one of them validates the sig. asignify is fast enough, though, because of the methods and algorithms it uses (blake2), that I don't really see that as an issue either.

JH
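The "loop through the installed keys until one validates the signature" design discussed above, as an added example that is not part of the thread or of pacman/asignify. It assumes a plain Ed25519 trust store using Go's standard library (asignify additionally hashes with blake2b, which is left out here); names like TrustStore and VerifyAny are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustStore holds the public keys a repository's releases may be signed with.
// One key per repository is the normal case; several are tolerated so the
// client can try each in turn. No keys means nothing verifies (fail closed).
type TrustStore struct {
	Keys []ed25519.PublicKey
}

var ErrUntrusted = errors.New("signature not valid under any trusted key")

// VerifyAny returns the index of the first trusted key under which sig is a
// valid signature over pkg, or ErrUntrusted when none of them validates it.
func (t TrustStore) VerifyAny(pkg, sig []byte) (int, error) {
	for i, k := range t.Keys {
		if len(k) == ed25519.PublicKeySize && ed25519.Verify(k, pkg, sig) {
			return i, nil
		}
	}
	return -1, ErrUntrusted
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	ciPub, ciPriv := newKey()    // release pipeline key (constructed)
	communityPub, _ := newKey()  // community repository key (constructed)
	_, roguePriv := newKey()     // key that is not installed (constructed)
	store := TrustStore{Keys: []ed25519.PublicKey{communityPub, ciPub}}
	pkg := []byte("constructed package archive bytes")

	idx, err := store.VerifyAny(pkg, ed25519.Sign(ciPriv, pkg))
	fmt.Println("pipeline release:", idx, err) // matched key 1
	_, err = store.VerifyAny(pkg, ed25519.Sign(roguePriv, pkg))
	fmt.Println("untrusted signer:", err)
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 1
	_, err = store.VerifyAny(tampered, ed25519.Sign(ciPriv, pkg))
	fmt.Println("tampered archive:", err)
}
```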